1. Introduction


When two parties with conflicting interests (such as a bank and a customer, or two competing companies) are communicating, it is essential that the originator of every message (party A) sign it, and that the receiver of every message (party B) check the signature. This should give the parties two kinds of protection:

(i) Both party A and party B should be protected against forged messages, planted in the communication channel by a third party C which pretends to be party A.

(ii) Party A should be protected against messages forged by party B, which claims to have received them (properly signed) from party A.

The first kind of protection can be guaranteed by using appropriate coding techniques, which are known only to A and B. The second kind of protection seems to be harder to obtain, since B should know enough about the way A signs its messages in order to recognize them, and yet should be unable to generate them. Note that when the signature is electronic (a certain pattern of 0's and 1's), it must be message dependent — otherwise B can copy A's signature and attach it


If the network of communicating parties is sufficiently big (e.g., the network of phone or mail users), it is completely impractical to use a distinct and secret signature algorithm for every pair of potential users. In their excellent paper [1], Diffie and Hellman introduce the notion of a "public key cryptosystem", in which (among other things) each user makes public a quick method for recognizing his signatures. The resultant "signature directory" is available to anyone, and thus two participating parties can start sending signed messages without any special setup (such as the exchange of secret keys via special couriers). In the context of a public-key cryptosystem, protection problem (i) becomes a variant of protection problem (ii), since A and B cannot share any information which is kept secret from C.

Three main solutions have been suggested so far for the electronic signature problem. The first one (chronologically) is due to Rabin [2], and it is based on probabilistic ideas. Its main drawback, however, is a fairly complicated signing and verification procedure. The second one is the Rivest-Shamir-Adleman cryptographic system [3], which solves both the signature and the security problem in public-key communications. The main problem with this system is that it is relatively slow, since messages are signed by performing hundreds of high-precision multiplications. Finally, the trapdoor knapsacks developed by Merkle and Hellman [4] to encode data in public-key cryptosystems can be used to generate some signatures, but the system is quite awkward to use since only a tiny fraction of the set of all messages is signable.

The purpose of this paper is to propose a new signature scheme in which the emphasis is on speed and simplicity — the main deficiencies in previous systems. Both the signing and the verification can be done by performing just additions and subtractions — there are no high-precision multiplications or complicated bit operations involved. The electronic implementation of the scheme can be simple and compact, and it is particularly useful in high-speed applications (e.g., keeping rapidly changing computerized information signed at all times).

This paper describes only the basic signature scheme. There are many possible variations, improvements and additions to the scheme, which might increase its security or simplify its implementation. We do not have any proof that the scheme is (or can be made) "unbreakable", but this is the case with most cryptographic systems (including those mentioned above). The only known method to certify its security is to expose it to a concentrated but unsuccessful cryptanalytic attack; the reader is urged to participate in this effort by trying to break the proposed scheme, and to find its variants which withstand the cryptanalytic attack best. One line of attack which deserves special attention and close study is the statistical method mentioned in section 3.1.

2. The basic scheme

2.1 Knapsack systems

The knapsack problem considered in this paper is an extension of the one defined in Karp [5]:

Given k+2 integers $a_1,\ldots,a_k$, $n$ and $m$, find a solution (if one exists) for the modular equation

$$m = \sum_{j=1}^{k} c_j a_j \pmod{n} \tag{1}$$

in which each $c_j$ is a small integer in the range $0 \le c_j \le \log n$.

It is easy to extend Karp's original reduction (from the exact covering problem) to show that this variant is also an NP-complete problem, and thus the worst case complexity of any algorithm which solves it is strongly believed to be non-polynomial.

The signature schemes we develop are based on particular instances of this problem. We use the words "a knapsack system" to denote the knapsack problem in which $a_1,\ldots,a_k$ and $n$ are fixed numbers, and the only variable is $m$. The interesting values of $m$ are in the interval $0 \le m < n$, and thus any knapsack system is just a finite collection of instances of the knapsack problem. Since (at least in theory) it is possible to extract the solutions of these instances from a finite precomputed table, it is hard to define the difficulty of solving a particular knapsack system in a precise mathematical way. Our usage of "easy" and "difficult" in this paper will thus be based on their intuitive meaning: A knapsack system is "difficult" if the only apparent way of solving its instances is by a (more or less) exhaustive search, and "easy"

A knapsack system can be used to generate signatures in the following way. Party A chooses and publishes a knapsack system $a_1,\ldots,a_k,n$ which is apparently difficult, but which can actually be solved quickly by using some secret structure embedded in it. Given a message $m$, A signs it by using his shortcut method to find a solution for equation (1), and sends the k-tuple $(c_1,\ldots,c_k)$ as his signature, along with $m$. The receiver B can easily plug the message $m$, the signature $c_1,\ldots,c_k$ and the published numbers $a_1,\ldots,a_k$ and $n$ into (1), and verify that the equation holds. If party C (or B himself) wants to forge A's signature on another message $m'$, it has to solve that particular instance of A's knapsack system. Note that in order to be useful in generating signatures, A's knapsack system must be generative, i.e., all its instances (with $0 \le m < n$) must have at least one solution.

2.3. How to construct knapsack systems.

In order to make the construction process clearer, we use typical numbers and sizes in the description that follows. All the numbers involved are 100 bits long, and the knapsack system contains 200 numbers $a_1,\ldots,a_{200}$.

Party A starts by choosing a random 100 bit prime number $n$ and a 100x200 0-1 matrix $[e_{ij}]$ whose entries are chosen at random. The numbers $a_1,\ldots,a_{200}$ are defined to be some solution of the following system of modular linear equations (we use row indexes 0 to 99 in order to simplify the subsequent formulas):

$$\begin{pmatrix} e_{0,1} & \cdots & e_{0,200} \\ \vdots & & \vdots \\ e_{99,1} & \cdots & e_{99,200} \end{pmatrix} \begin{pmatrix} a_1 \\ \vdots \\ a_{200} \end{pmatrix} = \begin{pmatrix} 2^0 \\ \vdots \\ 2^{99} \end{pmatrix} \pmod{n} \tag{2}$$

Since there are only one hundred equations in two hundred unknowns, we can choose $a_{101},\ldots,a_{200}$ at random and solve for $a_1,\ldots,a_{100}$. The probability of getting stuck in this process is very small, since the reduced 100x100 matrix (which is the left half of $[e_{ij}]$) can be singular only if its determinant is an exact multiple of the huge prime $n$. Even if this happens, we just have to choose another random matrix and try again.

The generated numbers $a_j$ are randomly-looking 100-bit integers, which have the property that any power of 2 between $2^0$ and $2^{99}$ can be expressed as the sum of some subset of them: $2^i = \sum_j e_{ij} a_j$. However, the problem of reversing the process and finding the coefficients $e_{ij}$ with which each power $2^i$ can be represented (merely by looking at the $a_j$'s) is essentially the knapsack problem, and thus is assumed to be extremely hard.

2.4. How to sign — preliminary approach.

In order to sign a given message $m$, A writes it as a sum of powers of 2, $m = \sum_{i=0}^{99} m_i 2^i$, where $m_i$ is the $i$-th bit in $m$'s binary representation. Each power of 2 can be represented in terms of the $a_j$'s, and thus

$$m = \sum_{i=0}^{99} m_i 2^i = \sum_{i=0}^{99} m_i \Big[ \sum_{j=1}^{200} e_{ij} a_j \Big] = \sum_{j=1}^{200} \Big[ \sum_{i=0}^{99} m_i e_{ij} \Big] a_j = \sum_{j=1}^{200} c_j a_j \tag{3}$$

Each coefficient $c_j = \sum_{i=0}^{99} m_i e_{ij}$ is an integer between 0 and $\sum_{i=0}^{99} e_{ij} \le 100 = \log n$, and thus $(c_1,\ldots,c_{200})$ is a legal solution of the knapsack system. For technical reasons, it is convenient to choose the $[e_{ij}]$ matrix in such a way that the number of 1's in each column ($\sum_{i=0}^{99} e_{ij}$) is exactly 63, since then each $c_j$ can be represented as a 6-bit integer (whose average value is 31.5). This size restriction can be made an extra condition that valid signatures must satisfy, besides satisfying equation (1).

An intuitive way of looking at the signing procedure is to consider each row of the $[e_{ij}]$ matrix as a 200-tuple of 0's and 1's, and to add together (componentwise) all the rows corresponding to 1 bits in the binary representation of $m$. Note that the values of the $a_j$ are not used in this process — all we need is the $[e_{ij}]$ matrix stored in memory.


This signing procedure is insecure, since anyone who has enough examples of message-signature pairs can find the $[e_{ij}]$ matrix, and thus forge arbitrary messages. The reason is that each time A signs a message $m$, he reveals two hundred linear equations

$$\sum_{i=0}^{99} m_i e_{ij} = c_j, \qquad 1 \le j \le 200 \tag{4}$$

in which the $m_i$ and the $c_j$ are known (from the given pair), and the only unknowns are the 20,000 $e_{ij}$. When 20,000 such equations have been accumulated, they can be solved and the $e_{ij}$ can be found.
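
Why the unrandomized procedure leaks the secret matrix, as an added example that is not part of the original paper: at toy sizes (8 rows and 16 columns instead of 100 and 200) it counts how many observed message-signature pairs are needed before equation (4) leaves only one possible 0-1 matrix. It filters candidate columns by exhaustive search rather than solving the linear system, and the column-bitmask representation and all function names are this example's own assumptions.

```python
import secrets

BITS, K = 8, 16      # toy sizes; the paper uses 100 rows and 200 columns
RNG = secrets.SystemRandom()

def popcount(x):
    return bin(x).count("1")

def random_columns():
    """Secret matrix [e_ij], stored column-wise: bit i of cols[j] is e_ij."""
    return [RNG.getrandbits(BITS) for _ in range(K)]

def sign_prelim(m, cols):
    """Section 2.4 without randomization: c_j = sum_i m_i e_ij."""
    return [popcount(m & col) for col in cols]

def consistent_columns(pairs, j):
    """Every 0-1 column j that satisfies equation (4) for all observed pairs."""
    return [cand for cand in range(1 << BITS)
            if all(popcount(m & cand) == c[j] for m, c in pairs)]

def pairs_until_determined(cols):
    """Observe signatures of random messages until (4) has a single solution."""
    pairs, history = [], []
    while True:
        m = RNG.getrandbits(BITS)
        pairs.append((m, sign_prelim(m, cols)))
        survivors = [consistent_columns(pairs, j) for j in range(K)]
        history.append(max(len(s) for s in survivors))  # worst-case ambiguity
        if history[-1] == 1:
            return len(pairs), [s[0] for s in survivors], history

if __name__ == "__main__":
    secret = random_columns()
    count, recovered, history = pairs_until_determined(secret)
    print("candidates left for the most ambiguous column:", history)
    print(f"matrix fully determined after {count} pairs:", recovered == secret)
```

At the paper's sizes an exhaustive column search is out of reach, which is why the text counts 20,000 linear equations instead; the toy search only makes the shrinking solution set visible.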

2.5. How to sign properly.

To solve the insecurity problem, we randomize the bits of $m$ before we sign it, so that both the $m_i$ and the $e_{ij}$ in equation (4) become unknown. Each message-signature pair thus introduces 200 fresh variables $m_i$ into the (non-linear!) system of equations, and thus the number of equations always lags behind the number of unknowns.

There are many ways in which $m$'s bits can be randomized, but perhaps the simplest is to subtract from $m$ a randomly chosen subset of the $a_j$'s:

$$m' = m - \sum_{j=1}^{200} \delta_j a_j \pmod{n} \tag{5}$$

(where each $\delta_j$ is 0 or 1), and then use the method of section 2.4 to sign the bits of $m'$ instead of the bits of $m$:

$$m' = \sum_{j=1}^{200} c'_j a_j \pmod{n}. \tag{6}$$

The signature of $m'$ can now be easily transformed back into a signature of $m$ by combining (5) and (6):

$$m = \sum_{j=1}^{200} (c'_j + \delta_j) a_j = \sum_{j=1}^{200} c_j a_j \pmod{n}. \tag{7}$$

The chance that some coefficient $c_j = c'_j + \delta_j$ overflows its six bit size is very small; even if it does, we just try again.

The reason we add to $m$ a big subset of the $a_j$'s is that we want to randomize its bits in a completely unpredictable way before we sign it. If the number of possible $m'$ to which $m$ could be transformed was small, a cryptanalyst could successively try all of them when using the equational method of the previous section. The number we subtract from $m$ is not exactly a uniformly distributed random number, since the probability of subtracting $r$ is proportional to the number of different subsets of the $a_j$'s which sum up to $r$. However, this probability distribution is so hard to analyze that it seems to be impossible to exploit its slight non-uniformity in order to infer the value of $m'$ from that of $m$.
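
The construction, signing and verification steps of sections 2.3 to 2.5 put together, as an added example that is not part of the original paper. It uses toy sizes (a 16-bit prime and 32 published numbers instead of 100 bits and 200 numbers), applies the bound $0 \le c_j \le \log n$ from equation (1) rather than the 63-ones-per-column refinement, and all function names are this example's own.

```python
import math
import secrets

BITS = 16            # toy size; the paper uses 100-bit numbers
K = 2 * BITS         # number of published a_j; the paper uses 200
C_MAX = BITS         # legal range 0 <= c_j <= log n from equation (1)
RNG = secrets.SystemRandom()

def random_prime(bits):
    """Random prime with exactly `bits` bits (trial division is fine at toy size)."""
    while True:
        p = RNG.getrandbits(bits) | (1 << (bits - 1)) | 1
        if all(p % d for d in range(3, math.isqrt(p) + 1, 2)):
            return p

def solve_mod(A, b, p):
    """Solve A x = b (mod prime p) by Gauss-Jordan; return None if A is singular."""
    size = len(A)
    M = [row[:] + [rhs] for row, rhs in zip(A, b)]
    for col in range(size):
        piv = next((r for r in range(col, size) if M[r][col]), None)
        if piv is None:
            return None
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], -1, p)
        M[col] = [v * inv % p for v in M[col]]
        for r in range(size):
            if r != col and M[r][col]:
                f = M[r][col]
                M[r] = [(x - f * y) % p for x, y in zip(M[r], M[col])]
    return [row[-1] for row in M]

def keygen():
    """Section 2.3: secret 0-1 matrix e, published numbers a and prime n."""
    n = random_prime(BITS)
    while True:
        e = [[RNG.randrange(2) for _ in range(K)] for _ in range(BITS)]
        free = [RNG.randrange(n) for _ in range(K - BITS)]   # right half, random
        rhs = [(2 ** i - sum(x * y for x, y in zip(row[BITS:], free))) % n
               for i, row in enumerate(e)]
        head = solve_mod([row[:BITS] for row in e], rhs, n)  # left half, eq. (2)
        if head is not None:                                 # singular: try again
            return e, head + free, n

def sign(m, e, a, n):
    """Section 2.5: randomize m, sign m' with the rows of e, fold delta back in."""
    while True:
        delta = [RNG.randrange(2) for _ in range(K)]
        m1 = (m - sum(d * x for d, x in zip(delta, a))) % n              # eq. (5)
        c1 = [sum(row[j] for i, row in enumerate(e) if m1 >> i & 1)
              for j in range(K)]                                         # eq. (6)
        c = [x + d for x, d in zip(c1, delta)]                           # eq. (7)
        if max(c) <= C_MAX:                                              # else retry
            return c

def verify(m, c, a, n):
    """Receiver's check: coefficient bound plus equation (1)."""
    return (len(c) == len(a) and all(0 <= x <= C_MAX for x in c)
            and sum(x * y for x, y in zip(c, a)) % n == m % n)

if __name__ == "__main__":
    e, a, n = keygen()
    m = 0xBEEF % n
    c = sign(m, e, a, n)
    print("n =", n, "signature =", c)
    print("valid:", verify(m, c, a, n), " altered message:", verify((m + 1) % n, c, a, n))
```

Signing reads only the secret matrix and the random $\delta_j$, while verification reads only the published numbers, which is the split the scheme relies on.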

3. Security considerations.

3.1. Cryptanalytic approaches.

The following list of four cryptanalytic approaches is illustrative, but certainly not exhaustive:

1) Static analysis: Without having any concrete examples of A's signatures, the cryptanalyst C might try to analyze the published data (i.e., the numbers $a_1,\ldots,a_{200}$ and $n$) in order to discover its hidden structure. As noted in section 2.3, it seems extremely unlikely that C will be able to find the $[e_{ij}]$ matrix or any other quick way of signing messages.

2) Dynamic analysis: C might try to forge A's signature on a new message $m$ by combining known signatures on other messages. For example, if $m$ can be written as the numerical sum of two messages $m^1$ and $m^2$, which A had previously signed as $(c^1_1,\ldots,c^1_{200})$ and $(c^2_1,\ldots,c^2_{200})$, respectively, then $(c^1_1 + c^2_1,\ldots,c^1_{200} + c^2_{200})$ would be a legal signature of $m$. To be legal, each $c^1_j + c^2_j$ must be a 6 bit integer. When a larger number of signatures (say, a few tens) are added or subtracted, it becomes very hard to keep all the coefficients in their 0-63 interval simultaneously. Therefore even if C has a complete set of legal signatures of the powers of 2, he would not be able to use them to sign messages with more than a few 1 bits. In addition, we shall usually compactify messages before signing them (i.e., both the signer and the verifier will use some standard length-reducing and hard-to-invert function in order to transform arbitrarily long messages into single 100-bit numbers, so that their signatures remain short). In compact forms, even messages which differ in a single bit become completely different, and thus C cannot hope to "compose" a desired forged message from a small number of known messages.

3) Planted messages: If C can cause A to sign certain special messages (using an unfaithful employee of A or otherwise), he might hope to benefit from watching the resultant signatures. For example, in the simple signing procedure of section 2.4, the signature of a message of the form $2^i$ immediately reveals a complete row of $[e_{ij}]$. Due to the randomization process, it is very unlikely that any of these messages will ever be signed as $m'$ (regardless of what the original message $m$ was), and thus there seem to be no "dangerous messages" from which the cryptanalyst can benefit. As a further precaution, it might be useful to re-randomize instead of signing any $m'$ in which the number of 1 bits is under 35 or over 65. This guarantees that every signature $(c_1,\ldots,c_{200})$ is the sum of many, but not most, of the rows of $[e_{ij}]$.

4) Statistical analysis: This approach seems to be the most viable way of discovering the $[e_{ij}]$ matrix. Since each signature $(c_1,\ldots,c_{200})$ is the sum of a randomly chosen subset of matrix rows, we can statistically analyze large collections of signatures in order to find the structure of the matrix. The analysis concentrates mainly on the correlations between the values of the $c_j$'s in order to discover successively larger patterns of 0's and 1's in $[e_{ij}]$. This analysis is quite subtle, and there seem to be many ways in which it can be led astray.

3.2. Variations which might increase the security of the system.

In this section we mention three methods by which the structure of the signatures can be made more obscure and harder to analyze.

1) The $\delta_j$ in the randomization process can be chosen according to some non-uniform distribution, in which the various $\delta_j$ are strongly correlated. When added to the signature $(c'_1,\ldots,c'_{200})$ of $m'$, the $\delta_j$ introduce irrelevant correlations which are not generated by the $[e_{ij}]$ matrix. If the distribution of the $\delta_j$ values is kept secret, the statistical methods can become unreliable. In order to strengthen this effect, it might be necessary to allow bigger values of $\delta_j$ (say, between 0 and 15).

2) In any cryptanalytic system, it is advisable to change the keys from time to time, since it reduces the chance of successful cryptanalytic attacks. This technique is particularly useful in signature systems, since a key discovered by the cryptanalyst after it has been replaced is quite useless (unlike privacy-ensuring systems, in which the replaced keys must be kept secret until the messages themselves can be made public).

In military applications, keys are usually replaced after a few days' use. Such a frequent change is quite inconvenient in big commercial public key networks, since the signature directory has to be updated and consulted constantly. We now show that in the system proposed in this paper, it is possible to benefit from frequent "key changes" without changing any of the numbers published in the directory.

The main idea is that the signature procedure uses the secret $[e_{ij}]$ matrix, rather than the published numbers $a_j$. Since the system of equations (2) is highly degenerate, the same published numbers can be generated by many other matrices. The signing machine can decide at any time to switch to a new such matrix, without notifying the directory or even its operator; the generated signatures will be determined by the new matrix and will thus have a new and different statistical behavior, but the verification procedure will remain unchanged. Typically, we shall change the published numbers once or twice a year, and "unofficially" change the matrix once a day (or after a predetermined number of signatures are generated).

One way of obtaining such a two-level system is to use the original $[e_{ij}]$ matrix as a seed which enables us to grow new matrices at will. Let $[E_{ij}]$ be a 100x200 matrix whose $i$-th row is some signature of $2^i$ in the $[e_{ij}]$ system (due to the randomization process, there is an almost inexhaustible supply of distinct $[E_{ij}]$ matrices). It is easy to verify that $(a_1,\ldots,a_{200})$ remains a solution of equation (2) when $[e_{ij}]$ is replaced by $[E_{ij}]$, and thus messages can be signed and verified in the new $[E_{ij}]$ system without changing the published numbers. The only significant difference is that the entries in this matrix are six-bit integers instead of 0's and 1's, and thus correspondingly larger (12-bit instead of 6-bit) coefficients must be allowed in the signatures.

The security of the system is based on the fact that we use relatively few $[E_{ij}]$ matrices, each one of which is used to sign relatively few messages (by "relatively few" we mean $O(\sqrt{n})$, where $n$ is the total number of messages signed). This implies that the statistical cryptanalytic methods are less likely to succeed in finding any of the $[E_{ij}]$ matrices, or in finding the common seed $[e_{ij}]$ used in their generation (for this part we may even assume that all the $[E_{ij}]$ matrices are known).

3) Instead of using one $[E_{ij}]$ matrix at a time, we can use two of them simultaneously. For each $2^i$ we now have two possible representations, given by the $i$-th row of the first matrix and the $i$-th row of the second matrix. When we sign a message, we choose for its $i$-th bit the first or second representation with probabilities $P_i$ and $1-P_i$, respectively. This system behaves statistically as if we were using a single matrix whose rows are the weighted mean of the rows of the two matrices. While either one of these two matrices can be used in order to forge signatures, their weighted mean cannot. Note that the entries of this matrix can be arbitrary real numbers rather than integers, which makes the task of discovering it much more complicated.


4. Conclusions.

There are two main problems in public-key communications: privacy and signature generation. The Merkle-Hellman system and our system are complementary in the sense that they solve the first and second problem, respectively. Both systems are based on the knapsack problem, but they use differently structured keys. Most operations in these two systems are modular additions, which require little hardware and can be performed fast.

The main open problem in the proposed signature system concerns its security. Some specific questions are:

(i) Which cryptanalytic approaches have a chance to succeed?

(ii) How complicated are they and what are the resources they require?

(iii) What is the relation between the size of the knapsack system and its security?

(iv) How should the user choose his knapsack system? How can he test the security of his particular choice?

(v) For how long can a chosen knapsack system be used?

(vi) Can arbitrary signatures be forged without knowing the $[e_{ij}]$ matrix?

(vii) Which precautions should the signer take when signing messages?